User Access and Authorization

Yonomi relies on your existing OAuth2.0-compliant Identity & Access Management (IAM) solution to authorize requests made to the platform on behalf of your users. In other words, Yonomi uses the very same user access and authorization systems you already use today. This means you won’t need to create and manage users in Yonomi - your existing users simply interact with Yonomi. The Yonomi platform verifies your user requests by validating user tokens against your IAM public key for every request. This identity management flow allows for a seamless user experience between the Yonomi platform, 3rd Party devices and your applications.

📘 What if I don’t have an IAM or don’t have access to configure the one used by my company?

You don’t need your own IAM to get started with Yonomi. The Developer Portal gives you sandbox API access to get you going, and you can worry about the identity details when the time is right.

Authorizing API Calls to Yonomi

All calls to Yonomi Platform must made on behalf of an authorized user. To specify a user and begin making calls to Yonomi, we’ll need to obtain a valid, key-signed JWT ID Token from your Identity and Access Management (IAM) system and place it in the Authorization header variable before executing a call. This follows the standard approach for authenticating HTTP requests.

🚧 I need to obtain what? …From what? Can I just create a user using the Yonomi API?

Essentially, Yonomi relies on your company’s existing Identity and Access Management (IAM) system to authenticate calls against the Yonomi Platform. While this means your developers don’t have to maintain multiple user accounts between your existing solution and Yonomi, many developers don’t work directly with their companies IAM. If you’re building a new solution from scratch then you may not have an IAM with which to begin your work. That’s ok, too - just create a Yonomi Development Portal account and start testing in the sandbox environment.

The approach Yonomi uses to authorize your users is similar to an approach you’ve likely already used on websites when you are offered the option to create a new account using your existing Google, Facebook or Github account and login process as the authorizing authority. In this case, Yonomi relies on your application’s existing user account management infrastructure to verify authorization of your users. This process follows the OAuth2.0 industry-standard protocol for authorization, and is a secure, reliable and efficient model for user management. This authentication approach is much more secure and streamlined for a production implementation and requires less work for your developers to get a solution prototyped, tested and deployed than introducing an additional user account for your developers to maintain.

If you have an existing IAM system you can use your own JWTs with Yonomi. When you’re ready, reach out to Yonomi Customer Success to request a development tenant and we’ll configure it against your JWT. Note the JWT needs to be signed with your IAM’s private key and you’ll need distinct IAM configurations for each of your stages/environments.

Again - if you don’t have an IAM today, no problem, you can get started by creating a Yonomi Development Portal account and begin exploring your solution needs in the portal’s sandbox environment.

Setting the User Token

Once you’re able to generate JWTs and your IAM is configured with your Yonomi tenant, simply set the Authorization HTTP header to the value of your user’s JWT to execute authenticated queries. With the Authorization header set, you’re now ready to begin making GraphQL queries in your own environment.

If you ever find that your calls are reflected as unauthorized when you attempt to run them in the Playground, try replacing the token in the Authorization header with a newly generated, unexpired token.